[sonic-cli] add sonic-cli which is based on vtysh. #275

yongcanwang00

- What I did
A new CLI ram which is based on vtysh.
- How I did it
(1) This CLI is running on host environment.
(2) Wrapping on current CLI to reuse it.
(3) It is developed based on VTYSH and supports all commands of Quagga or FRR.
(4) Do command authorization by remote TACACS+ server.

- How to verify it
Type 'cli' on linux.

@msftclas

msftclas commented Jun 26, 2018

CLA assistant check
All CLA requirements met.

@lguohan
Contributor

lguohan commented Jun 27, 2018

how to build this one?

@yongcanwang00
Author

Guohan,

Build commands:

```
mkdir build
cd build
cmake ..
make package
```

There is another pull request on sonic-buildimage:
sonic-net/sonic-buildimage#1819

@JohnFanDNI

Hi YongCan, I would like to participate in this effort and make contributions. Please add me as a member and let me know what areas of tasks that I can be of help. Thanks.

@yongcanwang00
Author

Hi JohnFanDNI, appreciate your contributions. I will send out another pull request to support FRR in weeks. There are still many commands supported on sonic click CLI but not here, maybe you can help to support them.

@jihaix

jihaix commented Dec 26, 2018

Hi YongCan, I have some troubles in building this one. When I run command make package, it shows
"fatal error: libtac/libtac.h: No such file or directory". I can't find this file or directory in your sonic-cli directory. Could you please tell me what's going wrong?

@yongcanwang00
Author

yongcanwang00 commented Dec 27, 2018 via email

@jihaix

jihaix commented Jan 7, 2019

Hi, Yongcan
Thanks for your help, the problem has been solved!

@jihaix

jihaix commented Jan 11, 2019

Hi, Yongcan
The function tac_get_priv_level works well and I get the priv-lvl from tacplus server. But function tac_cmd_author doesn't work well and permission check for command doesn't pass. I guess the configuration of my tacplus client and server is not correct. Can you show me your tacplus server's version and templates of config file for both tacplus client and tacplus server?

  • My tacplus server's version is:

```
root@linuxkit-025000000001:/mnt/build# tac_plus -v
tac_plus version F4.0.4.26
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__
```

  • My tacplus client's config file is /etc/tacplus_nss.conf:

```
server=172.17.0.1:49,src_ip=172.17.0.1,secret=tac_test,timeout=3
```

  • My tac_plus server's config file is /etc/tacacs/tac_plus.conf

```
# Encryption key
key = "tac_test"

# Set where to send accounting records
accounting syslog
accounting file = /var/log/tac_plus/tac_plus.acct

# ACL for network_admin group
acl = network_admin {
    # allow access to all devices
    permit = .*
    # implicit deny (ie: anything else)
}

# ACL for network_admin group
acl = sys_admin {
    # allow access to all devices
    permit = .*
    # implicit deny (ie: anything else)
}

# network_admin group, full access to network devices
group = network_admin {
        default service = permit
        expires = "Jan 1 2025"
        acl = network_admin
        service = exec {
                priv-lvl = 9
        }
}

# sys_admin group, only has read access to the network devices and can change the access vlan on an interface
group = sys_admin {
         default service = deny
         expires = "Jan 1 2025"
         acl = sys_admin
         service = ppp protocol = ip {
                 addr = 172.17.3.1
         }
         cmd = enable {
                 permit .*
         }
         cmd = show {
                 permit .*
         }
         cmd = exit {
                 permit .*
         }
         cmd = configure {
                 permit .*
         }
         cmd = interface {
                 permit Ethernet.*
                 permit FastEthernet.*
                 permit GigabitEthernet.*
         }
         cmd = switchport {
                 permit "access vlan.*"
                 permit "trunk encapsulation.*"
                 permit "mode.*"
                 permit "trunk allowed vlan.*"
         }
         cmd = description {
                 permit .*
         }
         cmd = no {
                 permit shutdown
         }
}

# User sonic using DES password and enable passwords
user = sonic {
    member = sys_admin
    login = des O7wu5.JX.pycw  #encrypted: sonic
    enable = des EawW7SztxL3AQ #encrypted: enable_sonic
}

# Global enable level 15 password
user = $enable$ {
    login = des  GrXwBd5MnQMYo #encrypted: enable
}
```
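
An added example, not part of the comment above or of the project's code: a simplified model of how the `cmd` rules of the sys_admin group above decide a command line, for checking a least-privilege policy against sample commands before relying on it. The matching semantics (first word selects the block, unanchored regex search over the arguments, first match wins, implicit deny) and the sample commands are assumptions.

```python
import re

# Constructed copy of the sys_admin "cmd" rules from the config above.
SYS_ADMIN_CMDS = {
    "enable": [("permit", r".*")],
    "show": [("permit", r".*")],
    "exit": [("permit", r".*")],
    "configure": [("permit", r".*")],
    "interface": [("permit", r"Ethernet.*"),
                  ("permit", r"FastEthernet.*"),
                  ("permit", r"GigabitEthernet.*")],
    "switchport": [("permit", r"access vlan.*"),
                   ("permit", r"trunk encapsulation.*"),
                   ("permit", r"mode.*"),
                   ("permit", r"trunk allowed vlan.*")],
    "description": [("permit", r".*")],
    "no": [("permit", r"shutdown")],
}

def authorize(rules, command_line, default_permit=False):
    """Return (decision, reason) for one command line.

    Assumed model: the first word selects the cmd block, the remaining
    words are searched (unanchored) against each regex in order, the
    first match decides, and no match means deny.
    """
    words = command_line.split()
    if not words:
        return "deny", "empty command"
    cmd, args = words[0], " ".join(words[1:])
    if cmd not in rules:
        decision = "permit" if default_permit else "deny"
        return decision, f"no cmd block for '{cmd}'"
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):
            return action, f"{action} {pattern}"
    return "deny", f"no rule under cmd = {cmd} matched"

def audit(rules, command_lines):
    # Map each sample command line to its decision.
    return {line: authorize(rules, line)[0] for line in command_lines}

# Constructed sample commands, not taken from the thread.
SAMPLES = ["show ip bgp summary", "interface Ethernet0", "interface Loopback0",
           "switchport access vlan 10", "no shutdown", "router bgp 65000",
           "no description shutdown later"]

if __name__ == "__main__":
    for line, decision in audit(SYS_ADMIN_CMDS, SAMPLES).items():
        print(f"{decision:6} {line}")
```

Under this model the last sample is permitted because `shutdown` is matched anywhere in the arguments; anchoring a pattern with `^` and `$` narrows a rule to the exact argument string.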

@TencentSwitchGroup

Hi Yongcan,
Have you submitted the PR for FRR? If not, what's your plan? Thanks.

@PrabhuSreenivasan
Contributor

Are we planning to go ahead with this PR?

stepanblyschak pushed a commit to stepanblyschak/sonic-utilities that referenced this pull request Apr 18, 2022
Update sonic-linux-kernel submodule to updated 202012 branch. This brings in the following commits....

```
e97f9fc [202012] Add upstreamed patches which backport support for registers for CPLD PNs (sonic-net#275)
58abcdc Merge pull request sonic-net#267 from Staphylo/202012-log-buf-len
3f16f4f Merge pull request sonic-net#268 from Staphylo/202012-emmc-fixes
a120ae7 Apply kernel patches to fix emmc unreliability
5f4a3f3 Increase log_buf_len to 1M for all architecture
```